So I need to explicitly accept targeted ads from every company that shows targeted ads? Does this mean every website that shows targeted ads, or can a blanket large provider (e.g. Google) get a single consent and apply it to all websites hosting Google ads?
This seems like it would give a market advantage to Google, because they have products that people want and can likely get a fair number of people to consent if the consent was among useful consents. But smaller advertising companies would have a much harder time getting consent, especially if people don't recognize the name as providing anything useful.
And how does this apply to logs? It's common for web servers by default to record urls visited and IP addresses. Would that be legal without explicit consent?
> And how does this apply to logs? It's common for web servers by default to record urls visited and IP addresses. Would that be legal without explicit consent?
I'm not certain on the details, but in eg Norway that is already much in line with the GDPR ip addresses are considered personal data, and as such regulated. However, there are provisions for storing such information for auditing purposes (both security, technical and financial/invoicing) - but would likely require explicit consent. ("i accept"/"i will not use this service" - more of an informational confirmation - like signs stating a shop is under camera surveillance - and you could choose not to shop the (even if: good luck finding a shop w/o surveillance cameras)).
In general "personal data" is anything that can significantly help identify a single individual (time/place, ip, phone number/date, address, full name, email, etc).
Ed: regarding logging ips for auditing - there's usually a fixed time limit. It's longest afaik for financial purposes (and the data storage directive explicitly states/stated minimum duration - effectively being lobbied into a tool to go after amateur copyright infringement by forcing isps to keep records longer than before). But from a data protection viewpoint, you can't say/get consent for "we log for auditing" and then keep the data indefinitely . More like 6 or 12 months.
Yes. If the data cannot be tracked to one person, it is not regulated. So anonymous tracking cookies are still OK, but attaching it to an IP/name/phone number etc. is not.
I don’t believe that’s true. “Anonymous” tracking cookies are still unique to the individual and such can easily contribute to identifying them, and so are included as personal.
Only if you can/do meaningfully anonymize the data. Eg, knowing the subnet of most/all Norwegian isps, it's trivial to recover ips that are simply hashed (probably even with salt), similarly Norwegian phone numbers are only eight digits, so any kind of deterministic mapping is likely to be too trivial to actually amount to anonymization.
Also rember that one of the goals is to avoid illicit linking - so being able to verify that ip n.n.n.n is the same as slow_hash(salt+other-ip) won't fly as "not storing".
In general, anonymizing data in sparse populations is tricky - where "small" can be quite large. Just imagine building a bitfield of variables like: sex,age +/-50;2 bits. Rough location (easily 6 bits), browser (2 bits), mobile? 1 bit - that's already 12 bits etc. See also NYC taxi dataset, eg (not the article I had in mind, but seems to cover similar points):
The blanket version. Google et al neither sell nor (generally) share your data with advertisers. They make the decision on what to show to you and thus, only they need to get your consent once for that express purpose.
By the way: it's still a topic of heavy debate how much of this can be done through terms and conditions after all.
Disclaimer/source: working for large Google customer, involved in GDPR compliance. Edit: spelling.
But does the website itself where the ads are shown need to get consent?
How about this, what if I own a.com and embed an image from b.com (a completely different organization from me). And then b.com tracks the users' IP addresses, urls, referers, etc. Do I need to get permission for that? I'm not the one doing the tracking. Does b.com need to get permission for that? There's no opportunity for b.com go get permission, the user never is on a website controlled by them, there is never an opportunity to click an accept button for b.com . The user likely has never heard of b.com .
As far as I know, GDPR disallows “bundled” consent. Google will be obligated to provide all the same services even if it cannot use the data for targeted ads.
Yes, but if the consent checkbox is nestled among a lot of other useful checkboxes, the user will likely accept it because they won't notice that it's different at all.
And how granular do these consents have to be? Would there be a page with 100 consent boxes, with a top box saying "accept all" for people too lazy to sort through all of the boxes?
This seems like it would give a market advantage to Google, because they have products that people want and can likely get a fair number of people to consent if the consent was among useful consents. But smaller advertising companies would have a much harder time getting consent, especially if people don't recognize the name as providing anything useful.
And how does this apply to logs? It's common for web servers by default to record urls visited and IP addresses. Would that be legal without explicit consent?